I am wondering if anyone can help me with ideas/advice on how to implement authentication that works for a single page app (SPA) I'm building & for external API access.
I'd like both the SPA and external API access to work from the same routes and controllers so that people can choose to implement their own front-end should they wish.
I would like to go for a JWT implementation for the SPA so that I can have the user log in and store the JWT in secure cookies or something. I'm flexible on this though as I just need something that works for SPAs alongside the basic-auth API access.
I'd also like users of the API to be able to use an 'API key' via HTTPS Basic Auth, as it is usually the easiest thing for beginners to implement, and I'm targeting that particular group. Think of Stripe for this part.
Is this doable, or will I need to essentially duplicate the necessary routes with slightly different URLs and use each middleware separately? Or is there a better way you can think of? I've been toiling over this for a while and can't come to any firm conclusion.
I've just had another quick think about this and thought I'd log it here - not decided if I will use it or not yet.
Possible solution:
Have the SPA log in with user credentials that return a pre-set API key for that user. The SPA then uses HTTPS Basic Auth with the API key like any other web client would. This eliminates the need for duplicate routes with different URIs, I think.
Any opinions or further ideas on this would be appreciated!
Another edit:
I think I have decided this is 'custom' enough to warrant a custom user provider. I'll simply check whether they have supplied an API key or a JWT, and validate it appropriately. That way both the SPA and any external API integrations can use the same routes, and I don't force users to use JWTs, which may not make sense for their integration.
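As an added illustration of the "one provider, two credential types" approach above (this is example code written for this thread, not the poster's implementation or any framework's own user provider), here is a single `authenticate()` check that accepts either Stripe-style HTTPS Basic Auth with the API key as the username and an empty password, or a `Bearer` HS256 JWT that the SPA obtained after a username/password login. The signing secret, the sample API key and the key store are constructed for the example; a real deployment would load the secret from configuration, store only key hashes, and pin the JWT algorithm exactly as done here so that a token's own `alg` header can never downgrade verification to `none`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; load from config and the user store in a real app.
JWT_SECRET = b"example-signing-secret-do-not-reuse"
JWT_TTL = 3600  # seconds a freshly issued token stays valid


def _hash_key(key: str) -> str:
    """Store API keys hashed so a database leak does not hand out live credentials."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed key store: sha256(api_key) -> user id. The key below is a made-up sample.
API_KEYS = {_hash_key("sk_test_4eC39HqLyjWDarjtT1zdp7dc"): "user-42"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT after the SPA's credential login; expires after JWT_TTL."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps({"sub": user_id, "iat": now, "exp": now + JWT_TTL}, **compact).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject of a correctly signed, unexpired HS256 token, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload.get("sub")


def verify_api_key(key: str) -> Optional[str]:
    """Resolve a presented API key to a user id, comparing hashes in constant time."""
    presented = _hash_key(key)
    user = None
    for stored_hash, user_id in API_KEYS.items():
        if hmac.compare_digest(presented, stored_hash):
            user = user_id
    return user


def basic_auth_header(api_key: str) -> str:
    """What an external client sends: the key as username, empty password (Stripe convention)."""
    return "Basic " + base64.b64encode(f"{api_key}:".encode()).decode()


def bearer_header(token: str) -> str:
    """What the SPA sends after login."""
    return "Bearer " + token


def authenticate(headers: dict, now: Optional[int] = None) -> Optional[dict]:
    """Single provider for both credential types; the route code never cares which was used."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credential.strip(), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        api_key, _, _password = decoded.partition(":")
        user = verify_api_key(api_key)
        return {"user": user, "via": "api_key"} if user else None
    if scheme == "bearer":
        user = verify_jwt(credential.strip(), now)
        return {"user": user, "via": "jwt"} if user else None
    return None  # missing or unknown scheme: let the route answer 401
```

Route handlers call `authenticate(request.headers)` once and work with the returned user, so the same controllers serve both the SPA and third-party integrations without duplicated URLs. If the SPA ends up keeping the JWT in a cookie rather than sending it as a `Bearer` header, the cookie path needs its own CSRF protection, because the browser will attach that cookie to cross-site requests automatically while a Basic or Bearer header set by JavaScript will not be.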